How to configure IPSEC encryption with the Cisco IOS (site to site VPN tunneling)



What do you need to know about IPsec VPNs in the Cisco IOS?

IPsec VPN configuration in the Cisco IOS is not an easy task. Even experienced IT pros who have never configured a Cisco IOS VPN find their first attempt frustrating and complex. In this article, we will look at a working Cisco IOS IPsec VPN configuration and dissect the important parts to help you understand this very useful configuration.

What is an IPSEC VPN?

IPsec (IP Security) offers methods to authenticate and encrypt IP traffic as it traverses a network, so that the traffic remains protected in transit. A VPN (virtual private network) is created when network traffic is tunneled through another network. In our case, we are using IPsec to authenticate and encrypt the VPN tunnel.

A site to site VPN tunnel is simply a VPN tunnel that is, usually, permanently connected and is used to join two networks across a third network (usually the Internet). The Cisco router IOS can be used to create a site to site VPN tunnel using IPsec. You could connect a Cisco IOS router to another router, a Cisco PIX, a Cisco ASA, or another vendor's router/firewall, as long as both ends agree on the IKE and IPsec parameters. Note that a crypto-capable IOS image is required to use the crypto commands shown below: on older releases this was the IPSEC/FW (later "Advanced Security" or k9) feature set, and on current universal images the securityk9 technology package must be licensed and enabled.

Our Sample IPSec VPN Configuration in the Cisco IOS

Here is a sample Cisco IOS site to site VPN configuration using IPSEC for encryption:

Now, let’s examine this configuration with the goal of helping you to understand it, be able to implement it, and troubleshoot it.

Our Sample IPSec VPN Configuration in the Cisco IOS – Explained

Let’s start from the top of the configuration and go down.

1. The crypto policy – the crypto isakmp policy defines the ISAKMP (IKE phase 1) security settings negotiated between the two peers: the encryption and hash used to protect the IKE negotiation itself, the Diffie-Hellman group, the authentication method and the SA lifetime. In our example, the policy uses 3DES encryption and pre-shared key authentication. Note that 3DES is a legacy cipher; on any IOS that supports it, AES should be used instead.


2. The crypto key – the crypto isakmp key is the pre-shared key shared by the two routers forming the IPsec VPN. It is bound to the peer's address and must be identical on both sides; choose a long random string, since anyone who learns it can authenticate as the peer.

3. The ipsec transform-set – the crypto ipsec transform-set sets the IPsec (IKE phase 2) protections applied to the data itself: the ESP encryption and integrity algorithms (for example ESP with 3DES and SHA-HMAC) and the tunnel or transport mode.

4. The Access-list – the crypto ACL is very important, as it defines what traffic is and is not encrypted between the two routers. Traffic that matches a permit entry is sent through the tunnel; traffic that is not permitted is forwarded in cleartext as ordinary routed traffic, not dropped. The ACL on the remote router must be the mirror image of this one, or the two sides will fail to agree on phase 2.

5. Creating the crypto-map – the crypto map is what brings the peer, transform-set, and access-list together (the ISAKMP policy and key are selected by the peer's address). You define the name of the crypto map, and that name is then used to apply the crypto map to the interface.

6. The crypto map command – on the Fa3/0 interface you will notice the crypto map cryptomap1 statement. This should be the last statement added to the configuration, because it is where the VPN is actually applied: once it is in place, the router will start negotiating the tunnel. Note that the crypto map has a name (we named it "cryptomap1"; use the name consistently) and that a crypto map can have many entries, each with a sequence number. The "10" above shows that we are configuring entry 10 of the crypto map; from there you could add entries 20, 30, and so on, typically one per remote peer, all sharing the one map applied to the interface.
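The six steps above, written out as a complete pair of router configurations. This is an added example, not the article's own sample configuration: the addresses (Router A with 203.0.113.1 on Fa3/0 and LAN 192.168.1.0/24, Router B with 198.51.100.1 and LAN 192.168.2.0/24), the transform-set name TS-3DES-SHA, ACL 110 and the placeholder pre-shared key are all assumptions chosen for illustration. The crypto map name cryptomap1 and sequence 10 follow the text.

```cisco
! ---- Router A (assumed: WAN 203.0.113.1 on Fa3/0, LAN 192.168.1.0/24) ----
hostname RouterA
!
! 1. ISAKMP (IKE phase 1) policy: how the peers authenticate each other and
!    protect the negotiation itself. 3DES/SHA/group 2 mirror the article's
!    settings; on current IOS prefer AES-256, SHA-256 and group 14 or higher.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! 2. Pre-shared key bound to the peer's public address. The placeholder must be
!    replaced with a long random secret and the same string set on Router B.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 198.51.100.1
!
! 3. IPsec transform set (phase 2): ESP with 3DES encryption and SHA-HMAC integrity.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! 4. Crypto ACL: only LAN-to-LAN traffic between the two sites is encrypted.
!    Anything not permitted here leaves Fa3/0 as ordinary cleartext traffic.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 5. Crypto map entry 10 ties the peer, transform set and crypto ACL together.
crypto map cryptomap1 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-3DES-SHA
 match address 110
!
! 6. Apply the crypto map to the outside interface (last step; this activates it).
interface FastEthernet3/0
 ip address 203.0.113.1 255.255.255.0
 crypto map cryptomap1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! ---- Router B (assumed: WAN 198.51.100.1 on Fa3/0, LAN 192.168.2.0/24) ----
! Same policy, key and transform set; the peer, crypto ACL and addresses are
! the mirror image of Router A's.
hostname RouterB
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.1
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map cryptomap1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-3DES-SHA
 match address 110
interface FastEthernet3/0
 ip address 198.51.100.1 255.255.255.0
 crypto map cryptomap1
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Two things to check before pasting this onto real routers: the ISAKMP policy, key and transform set have to match exactly on both ends (a mismatched hash or DH group fails silently from the user's point of view), and if either router also does NAT on Fa3/0, the NAT ACL must deny the LAN-to-LAN traffic so it is not translated before the crypto map sees it.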

When the router boots up, the VPN is down. The encrypted tunnel is formed when the first packet that matches the crypto ACL is sent; that packet triggers the IKE negotiation, so the first ping or two across a freshly booted tunnel usually time out before the tunnel is up.

The router on the other side of the tunnel would have all the same settings, except that the IP addressing is reversed: its pre-shared key and crypto map peer point at this router's outside address, and its crypto ACL permits traffic from its own LAN to this router's LAN.
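To bring the tunnel up and confirm it is doing what the configuration promises, the exec-mode commands below are what I would run on the local router. This is an added troubleshooting sequence, not part of the article; it assumes the local LAN interface is 192.168.1.1, the remote LAN gateway is 192.168.2.1 and the remote peer is 198.51.100.1 (all assumed addresses).

```cisco
! Generate "interesting" traffic that matches the crypto ACL. A plain ping from
! the router is sourced from the outside interface and would NOT match the ACL,
! so source it from the LAN address. Expect the first reply or two to be lost
! while IKE negotiates; later replies should succeed.
ping 192.168.2.1 source 192.168.1.1
!
! Phase 1: one ISAKMP SA with the peer, shown in state QM_IDLE once established.
! MM_NO_STATE or no entry at all means phase 1 never completed (policy or key
! mismatch, or UDP/500 blocked in between).
show crypto isakmp sa
!
! Phase 2: IPsec SAs for the local/remote identity taken from the crypto ACL.
! Both "#pkts encaps" and "#pkts decaps" should climb while traffic flows;
! encaps rising with decaps stuck at zero means the far side is not replying
! through the tunnel (check its crypto ACL is the mirror image of ours).
show crypto ipsec sa
!
! One-screen summary of the session, its peer and the active SAs.
show crypto session
!
! Confirm the map is bound to the expected interface, peer, ACL and transform set.
show crypto map
!
! If nothing comes up, watch phase 1 negotiate in real time. A mismatched
! policy or pre-shared key shows up here as a negotiation that stalls or
! fails instead of reaching QM_IDLE. Always turn debugging off again.
debug crypto isakmp
undebug all
!
! After changing the policy, key or ACL, tear down the existing SAs so the
! next interesting packet forces a fresh negotiation with the new settings.
clear crypto isakmp
clear crypto sa
```

The ping source matters more than it looks: a ping that does not match the crypto ACL will not trigger the tunnel, and a tunnel that never sees interesting traffic stays down no matter how correct the configuration is.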

In Summary

In this article, we learned what an IPsec site-to-site VPN is and we showed a working configuration. From there we dissected that configuration, line by line, to help you understand it. IPsec VPNs are critical connections for most businesses today. Undoubtedly, you will come across a Cisco IOS VPN configuration at some point. Being able to quickly comprehend and troubleshoot these complex configurations just might save your day!

Founded in 1998 by Daniel Petri, Petri IT Knowledgebase serves as one of the world's leading IT-related content and community sites and our forums are a popular online destination for system administrators to network and exchange information with peers.